The Community Forums


Successful WHM root login (not me!)

Discussion in 'Security' started by liberteh, Aug 19, 2010.

  1. liberteh (Registered)

    Hello,

    I've been experiencing the following problems:

    One of the sites I'm hosting had a vulnerability in one of the scripts. The exact script has not been/cannot be found yet, but the strange thing is:

    The hackers seem to be able to install a shell on the users account. Then use this shell to gain access to WHM (without knowing the password).
    CSF (cPanel firewall plugin) tells me this through e-mail.

    I personally think there is a private exploit available for this, but I cannot be sure.

    Can anyone tell me anything more? Does he gain full (root) access to WHM, or does he just gain authentication access (without being in WHM)?

    The strange thing is: nothing has been changed or altered. I'm an experienced administrator. My server is pretty well secured. And I know I can never be sure my machine is safe after the hacker has gained true access to it.

    The only thing I can't put my finger on is how they gain root access to WHM by running a webshell on a user account (who is just a shared hosting user, not a reseller or anything, with no access to WHM).

    I can deliver all information if you want.

    Please help me, this has happened twice now (same hacker, probably) and I want to give my users a secure feeling (I suspended the vulnerable account until we find the malicious script).
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member)

  3. liberteh (Registered)

    Thanks for responding! I'm aware of that tool, but I will not look towards solutions for finding any exploits. I will restore the server back to when the user did not

    Like I said, the user has not been in SSH. Only web-related services (HTTP and WHM).

    The e-mail:

    Subject: lfd on <server>.pr0jects.nl: WHM root access alert from 188.123.173.4 (JO/Jordan/-)

    Email body: Time: Thu Aug 19 15:04:14 2010 +0200
    IP: 188.123.173.4 (JO/Jordan/-)

    Bells and alarms started, since we don't use root. (We can't log in to SSH as root from outside, and the hacker doesn't try, because I see no entries for his IP trying.)

    I stand by my suspicion that there is a 0day cPanel/WHM exploit available somewhere.

    Can the cPanel crew please respond? I saw you looking at my thread....
     
  4. cPanelKenneth (cPanel Development, Staff Member)

    Please open a support ticket on the compromised system. If you already have, please PM me the ticket number.

    Thank you.
     
  5. gvard (Well-Known Member, PartnerNOC)

    Hello,

    Did you look at WHM access logs to see what he did at the time he gained access?
     
  6. mohit (Well-Known Member)

    Can you check if the user in question has a MySQL username of root?
    It may also be cpuser_root.

    If I am not mistaken, some older versions of CSF reported a remote MySQL connection with user root as a WHM access alert.

    I no longer have that OLD box where this happened, else I would have tried to dig into it for you.
     
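The two checks suggested above (gvard: look at the WHM access log for what happened at the alert time; mohit: consider that the alert may not have come from a WHM login at all) can be combined into a small triage script. The following is an added example, not code from the thread, from cPanel or from CSF. It parses an lfd alert in the shape quoted earlier, then scans WHM access_log lines for requests authenticated as root from the alert IP within a few minutes of the alert time. The alert text and log lines are constructed (hostname and IP replaced with documentation values); the access_log line format is assumed to match cPanel's /usr/local/cpanel/logs/access_log (combined-log style with UTC timestamps) and should be checked against your own file before relying on it.

```python
import re
from datetime import datetime, timedelta

# Constructed lfd alert, modelled on the one quoted in the thread.
# Hostname and IP replaced with documentation values (assumption).
ALERT = """Subject: lfd on server.example.net: WHM root access alert from 203.0.113.7 (JO/Jordan/-)

Time: Thu Aug 19 15:04:14 2010 +0200
IP: 203.0.113.7 (JO/Jordan/-)
"""

# Constructed WHM/cPanel access_log lines. The layout (client IP, "-", authenticated
# user, [MM/DD/YYYY:HH:MM:SS -0000] in UTC, request, status, size, referer, UA) is
# assumed to match /usr/local/cpanel/logs/access_log; verify against your own file.
ACCESS_LOG = """\
198.51.100.20 - user1 [08/19/2010:12:58:01 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - root [08/19/2010:13:04:14 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - root [08/19/2010:13:04:21 -0000] "GET /scripts2/listaccts HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - user1 [08/19/2010:13:10:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - root [08/19/2010:18:30:00 -0000] "GET /json-api/version HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

ALERT_IP_RE = re.compile(r"^IP:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)
ALERT_TIME_RE = re.compile(r"^Time:\s*(.+?)\s*$", re.MULTILINE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_alert(text):
    """Return (ip, aware datetime) from an lfd alert body; raises ValueError if absent."""
    ip_m = ALERT_IP_RE.search(text)
    time_m = ALERT_TIME_RE.search(text)
    if not ip_m or not time_m:
        raise ValueError("alert text lacks IP: or Time: line")
    # lfd writes e.g. "Thu Aug 19 15:04:14 2010 +0200"; %z keeps the offset,
    # so the result compares correctly against the UTC log timestamps.
    when = datetime.strptime(time_m.group(1), "%a %b %d %H:%M:%S %Y %z")
    return ip_m.group(1), when


def parse_access_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["when"] = datetime.strptime(entry.pop("ts"), "%m/%d/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_matching_requests(alert_text, log_text, user="root", window=timedelta(minutes=5)):
    """Requests authenticated as `user`, from the alert IP, within +/- window of the alert time."""
    ip, when = parse_alert(alert_text)
    hits = []
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            continue  # unexpected or malformed line: skip rather than guess at its fields
        if entry["ip"] == ip and entry["user"] == user and abs(entry["when"] - when) <= window:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    hits = find_matching_requests(ALERT, ACCESS_LOG)
    if not hits:
        print("No root WHM requests from the alert IP near the alert time; the alert may have"
              " another source (the thread mentions MySQL users named root on old CSF versions).")
    for h in hits:
        print(h["when"].isoformat(), h["ip"], h["user"], h["method"], h["path"], h["status"])
```

Run it against the real alert body and the real access_log. If root requests from the alert IP do show up, the paths tell you what the session did and the alert is genuine; if nothing matches within the window, widen the window once, and then look at other sources of the alert before assuming a WHM compromise.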
  7. GaryT (Well-Known Member)

    You are correct. The old CSF version did this; it now blocks any new users with the root name.

    To be honest, if I got an email where someone logged in as root and I knew it wasn't me, I'd probably have a heart attack.

    Either go by what the cPanel pros say, or completely disable root via SSH. Make sure it's set to JAIL for all accounts. Make a new wheel group with a new user for extra protection.

    Install chkrootkit and Rootkit Hunter, as this will help a lot to find and remove the malicious script.
     